Contents of 3GPP TS 33.222 (Word version 17.1.0)
4 Overview of the Security Architecture (Word-p. 8)
5 Authentication schemes (Word-p. 9)
5.1 Reference model (Word-p. 9)
5.2 General requirements and principles (Word-p. 9)
5.2.1 Requirements on the UE (Word-p. 9)
5.2.2 Requirements on the NAF (Word-p. 9)
5.3 Shared key-based UE authentication with certificate-based NAF authentication (Word-p. 10)
5.3.0 Procedures |R11| (Word-p. 10)
5.3.1 TLS profile (Word-p. 11)
5.3.1.0 General |R11| (Word-p. 11)
5.3.1.1 Protection mechanisms (Word-p. 12)
5.3.1.2 Void
5.3.1.3 Authentication of the AP/AS (Word-p. 12)
5.3.1.4 Authentication Failures (Word-p. 12)
5.3.1.5 Set-up of Security parameters (Word-p. 12)
5.3.1.6 Error cases (Word-p. 12)
5.4 Shared key-based mutual authentication between UE and NAF (Word-p. 13)
5.4.0 Procedures |R11| (Word-p. 13)
5.4.0.0 General |R17| (Word-p. 13)
5.4.0.1 TLS 1.2 |R17| (Word-p. 13)
5.4.0.2 TLS 1.3 |R17| (Word-p. 14)
5.4.1 TLS Profile (Word-p. 15)
5.4.1.0 General |R11| (Word-p. 15)
5.4.1.1 Protection mechanisms (Word-p. 16)
5.4.1.2 Authentication of the AP/AS (Word-p. 16)
5.4.1.3 Authentication Failures (Word-p. 16)
5.4.1.4 Set-up of Security parameters (Word-p. 16)
5.5 Certificate based mutual authentication between UE and application server (Word-p. 16)
5.5.1 General |R7| (Word-p. 16)
5.5.2 TLS Profile |R7| (Word-p. 16)
5.5.2.1 General (Word-p. 16)
5.5.2.2 Protection mechanisms (Word-p. 17)
5.5.2.3 Void
6 Use of Authentication Proxy (Word-p. 18)
6.1 Architectural view (Word-p. 18)
6.2 Requirements and principles (Word-p. 19)
6.4 Reference points (Word-p. 20)
6.4.1 Ua reference point (Word-p. 20)
6.4.2 AP-AS reference point (Word-p. 20)
6.5 Management of UE identity (Word-p. 20)
6.5.1 Granularity of Authentication and Access Control by AP (Word-p. 20)
6.5.1.1 Authorised Participant of GBA (Word-p. 20)
6.5.1.2 Authorised User of Application (Word-p. 21)
6.5.2 Transfer of Asserted Identity from AP to AS (Word-p. 21)
6.5.2.1 Authorised Participant of GBA (Word-p. 21)
6.5.2.2 Authorised User of Application Anonymous to AS (Word-p. 21)
6.5.2.3 Authorised User of Application with Transferred Identity asserted to AS (Word-p. 21)
6.5.2.4 Authorised User of Application with Transferred Identity asserted to AS and Check of User Inserted Identity (Word-p. 22)
Annex A Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPS (Word-p. 23)
Annex B Guidance on Certificate-based mutual authentication between UE and application server (Word-p. 24)
Annex C Considerations for GBA security using a web browser and Javascript |R12| (Word-p. 25)
C.1 Usage Scenario (Word-p. 25)
C.2 Threats (Word-p. 25)
C.3 Control of GBA Credentials and GBA Module in the UE (Word-p. 26)
C.3.1 General (Word-p. 26)
C.3.2 Control Mechanism 1 - Same Origin Authentication Tokens (Word-p. 26)
C.3.3 Control Mechanism 2 - Server Authenticated TLS (Word-p. 26)
C.3.4 Control Mechanism 3 - Channel Binding (Word-p. 26)
C.3.5 Control Mechanism 4 - Key Usage (Word-p. 26)
C.4 Security Considerations (Word-p. 27)
C.4.1 General Scripting Security Considerations (Word-p. 27)
C.4.2 GBA key control (Word-p. 27)
C.4.3 User grants (Word-p. 27)
C.4.4 Root CAs in Browser (Word-p. 27)
Annex D (Normative) Security measures for usage of GBA with a web browser |R12| (Word-p. 29)
D.1 Extension of Protocol Mechanism used on Ua Reference Point (Word-p. 29)
D.1.1 General (Word-p. 29)
D.1.2 Key derivation (Word-p. 29)
D.1.3 Channel binding (Word-p. 29)
D.1.3.1 Background (Word-p. 29)
D.1.3.2 Channel binding using RFC 5705 and RFC 5929 (Word-p. 30)
D.2 Sequence flow (Word-p. 30)
D.2.1 Sequence flow with channel binding (Word-p. 30)
D.3 Javascript GBA API description (Word-p. 34)
D.3.1 GBA API Description (Word-p. 34)
D.3.2 API usage (Word-p. 35)
Change history (Word-p. 36)